Protecting ECC against fault attacks

ABSTRACT

A method for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field 𝔽_p, including: defining an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} represented with elements having a group law that coincides with a group law used in the representation for E(𝔽_p) and isomorphic to an additive group (ℤ/rℤ)⁺ through isomorphism γ; forming a combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to a cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺; selecting an element ϑ in ℤ/rℤ and defining an element P′=γ(ϑ) in group G′; forming a combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′; calculating Q̂=[k]P̂ in the combined group E(𝔽_p)×G′; calculating kϑ in ℤ/rℤ; and checking whether Q̂≡Q′ (mod r) where Q′=γ(kϑ).

TECHNICAL FIELD

Various exemplary embodiments disclosed herein relate generally to protecting elliptic curve cryptography (ECC) implementations against fault attacks.

BACKGROUND

Techniques such as the Blömer-Otto-Seifert (BOS) method have been developed for combating fault attacks in ECC systems. The BOS method, however, adds significant additional processing to ECC systems.

SUMMARY

A brief summary of various exemplary embodiments is presented below. Some simplifications and omissions may be made in the following summary, which is intended to highlight and introduce some aspects of the various exemplary embodiments, but not to limit the scope of the invention. Detailed descriptions of an exemplary embodiment adequate to allow those of ordinary skill in the art to make and use the inventive concepts will follow in later sections.

Various embodiments relate to a method for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field 𝔽_p, including: defining an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} represented with elements having a group law that coincides with a group law used in the representation for E(𝔽_p) and isomorphic to an additive group (ℤ/rℤ)⁺ through isomorphism γ; forming a combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to a cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺; selecting an element ϑ in ℤ/rℤ and defining an element P′=γ(ϑ) in group G′; forming a combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′; calculating Q̂=[k]P̂ in the combined group E(𝔽_p)×G′; calculating kϑ in ℤ/rℤ; and checking whether Q̂≡Q′ (mod r) where Q′=γ(kϑ).

Further various embodiments relate to a non-transitory machine-readable storage medium encoded with instructions for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field 𝔽_p, including: instructions for defining an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} represented with elements having a group law that coincides with a group law used in the representation for E(𝔽_p) and isomorphic to an additive group (ℤ/rℤ)⁺ through isomorphism γ; instructions for forming a combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to a cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺; instructions for selecting an element ϑ in ℤ/rℤ and defining an element P′=γ(ϑ) in group G′; instructions for forming a combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′; instructions for calculating Q̂=[k]P̂ in the combined group E(𝔽_p)×G′; instructions for calculating kϑ in ℤ/rℤ; and instructions for checking whether Q̂≡Q′ (mod r) where Q′=γ(kϑ).

Further various embodiments relate to a device for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field 𝔽_p, including: a memory; and a processor in communication with the memory, the processor configured to: define an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} represented with elements having a group law that coincides with a group law used in the representation for E(𝔽_p) and isomorphic to an additive group (ℤ/rℤ)⁺ through isomorphism γ; form a combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to a cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺; select an element ϑ in ℤ/rℤ and define an element P′=γ(ϑ) in group G′; form a combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′; calculate Q̂=[k]P̂ in the combined group E(𝔽_p)×G′; calculate kϑ in ℤ/rℤ; and check whether Q̂≡Q′ (mod r) where Q′=γ(kϑ).

Various embodiments are described, wherein when Q̂≡Q′ (mod r) output Q=Q̂ mod p and otherwise return an error.

Various embodiments are described, wherein G′ is a set of points (ϑ, 1) on a twisted Edwards curve.

Various embodiments are described, wherein G′ is a set of points (ϑ, 1) on a Jacobi quartic curve.

Various embodiments are described, wherein G′ is a set of points (ϑ, 1, 1) on a Jacobi quadrics intersection curve.

Various embodiments are described, wherein G′ is a set of points (ϑ, −1) on a Hessian curve.

Various embodiments are described, wherein G′ is a set of points (ϑ, cϑ) on a Huff curve, where c is any value in ℤ/rℤ.

Various embodiments are described, wherein G′ is a set of points (ϑ : 1 : ϑ³) on a Weierstrass curve.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to better understand various exemplary embodiments, reference is made to the accompanying drawings, wherein:

FIG. 1 illustrates a method for protecting against faults in the computation of a point multiplication Q=[k]P on an elliptic curve E defined over the prime field 𝔽_p.

To facilitate understanding, identical reference numerals have been used to designate elements having substantially the same or similar structure and/or substantially the same or similar function.

DETAILED DESCRIPTION

The description and drawings illustrate the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the invention and are included within its scope. Furthermore, all examples recited herein are principally intended expressly to be for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Additionally, the term "or," as used herein, refers to a non-exclusive or (i.e., and/or), unless otherwise indicated (e.g., "or else" or "or in the alternative"). Also, the various embodiments described herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments.

Elliptic curve cryptography (ECC) is an interesting alternative to Rivest-Shamir-Adleman (RSA) cryptography because the keys are much shorter for the same conjectured security level. Given a point P on an elliptic curve E and an integer k, the basic operation includes computing the scalar multiplication [k]P, that is, P⊕P⊕ . . . ⊕P (k times) where ⊕ denotes the group operation on E. The goal of an attacker is to recover the value of k (or a part thereof) by inducing faults.

For RSA cryptographic systems, Shamir's countermeasure was developed. Shamir's countermeasure generalizes to elliptic curve scalar multiplication and is known as the Blömer-Otto-Seifert (BOS) countermeasure. The BOS countermeasure method is as follows.

Suppose one has to compute Q=[k]P on an elliptic curve E defined over the prime field 𝔽_p and given by the Weierstraß equation y²=x³+ax+b.

    1. For a (small) prime r, define an elliptic curve E′ over 𝔽_r and a point P′ on E′;
    2. Form the combined curve Ê=CRT(E, E′) over ℤ/rpℤ and the combined point P̂=CRT(P, P′) (where CRT is the Chinese remainder theorem, whose application is defined below);
    3. Compute Q̂=[k]P̂ on Ê;
    4. Compute Q′=[k]P′ on E′;
    5. Check whether Q̂≡Q′ (mod r), and
        - if so, output Q=Q̂ mod p;
        - if not, return error.

The following observations of the BOS countermeasure method are noted. If y²=x³+a′x+b′ is the equation defining the elliptic curve E′ over 𝔽_r, CRT(E, E′) denotes the elliptic curve over ℤ/rpℤ given by the equation y²=x³+âx+b̂ where â=CRT(a (mod p), a′ (mod r)) and b̂=CRT(b (mod p), b′ (mod r)); i.e., such that â≡a (mod p) and â≡a′ (mod r), and the same for b̂. Point P̂ is defined similarly from the coordinates of points P and P′.

In a concrete implementation, prime r, curve E′ and point P′ are precomputed so that the order of point P′ on E′, ord_{E′}(P′), is maximal. The value of n:=ord_{E′}(P′) together with r, the curve parameters, and point P′ may be stored in non-volatile memory. This presents the further advantage that the calculation of Q′ in Step 4 of the BOS countermeasure method may be performed more efficiently as Q′=[k mod n]P′.

In order to avoid a single point of failure, infective computation is preferred to implement the final test of Step 5 of the BOS countermeasure method. For example, for Step 5, one could perform the following steps instead:

    5.1. Compute c_x=(x(Q̂)+1−x(Q′)) mod r and c_y=(y(Q̂)+1−y(Q′)) mod r, where x(Q̂) and y(Q̂) respectively denote the x- and y-coordinate of point Q̂ and similarly for point Q′;
    5.2. Choose a κ-bit random integer ρ and compute

$\gamma = \left\lfloor \frac{\rho\, c_{x} + \left( 2^{\kappa} - \rho \right) c_{y}}{2^{\kappa}} \right\rfloor;$

    and
    5.3. Return Q=[γ]R on E where R=Q̂ (mod p). It can be checked that when Q̂≡Q′ (mod r), c_x and c_y are both equal to 1, which leads to γ=1. Otherwise, γ is a random value and the returned point Q is a random point.

As discussed above, the BOS fault countermeasure method requires the prior generation and storage of a prime r, an elliptic curve E′ over 𝔽_r, and a point P′ on E′ of large order. For better performance, the order n of P′ should also be pre-stored.

Another countermeasure is presented in Y.-J. Baek and I. Vasyltsov, "How to prevent DPA and fault attacks in a unified way for ECC scalar multiplication: Ring extension method," in E. Dawson and D. Wong, editors, Information Security Practice and Experience—ISPEC 2007, volume 4464 of LNCS, pages 225-237, Springer, Heidelberg, 2006. Compared to J. Blömer, M. Otto, and J.-P. Seifert, "Sign change fault attacks on elliptic curve cryptosystems," in L. Breveglieri et al., editors, Fault Diagnosis and Tolerance in Cryptography—FDTC 2006, volume 4236 of LNCS, pages 36-52, Springer, Heidelberg, 2006, Baek-Vasyltsov does not require precomputed values and does not assume that the randomizer r is a prime integer. Numerical experiments conducted in M. Joye, "On the security of a unified countermeasure," in L. Breveglieri et al., editors, 5th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pages 87-91, IEEE Computer Society, 2008, however show that a non-negligible proportion of faults is undetected and that larger bit-lengths for r should be used.

More effective countermeasures are given in M. Joye, "Edwards curves and fault attacks," presented at the rump session of CRYPTO 2012, Santa Barbara, USA, Aug. 21, 2012, available at http://crypto.2012rump.cr.yp.to/ and in S. Neves and M. Tibouchi, "Degenerate curve attacks—extending invalid curve attacks to Edwards curves and other models," in C.-M. Cheng, K.-M. Chung, G. Persiano, and B.-Y. Yang, editors, PKC 2016, Part II, volume 9615 of LNCS, pages 19-35, Springer, Heidelberg, March 2016. They essentially follow the same approach. The idea is to rely on a shortcut for the evaluation of Q′=[k]P′ on E′ by an appropriate choice for E′. In Joye, E′ is chosen as the subgroup of points on an elliptic curve over ℤ/r²ℤ that reduce to the neutral element O modulo r. In Neves-Tibouchi, E′ is chosen as the group of points on a degenerate curve over 𝔽_r.

The method in Joye presents the disadvantage that, for fault attacks whose detection probability depends on the order of point P′, a twice longer value for r is implied. Indeed, the subgroup of points considered in Joye for E′ has order r whereas the corresponding curve is defined modulo r². In turn, the combined curve Ê is defined over ℤ/r²pℤ, which is more demanding for the evaluation of Q̂ on Ê.

The combined curve in Neves-Tibouchi is defined over ℤ/rpℤ where r is prime. However, most elliptic curve models (the Weierstraß model is a notable exception) do not have an additive degeneration: they either degenerate to the (r−1)-order multiplicative group 𝔽_r* or to the (r+1)-order multiplicative subgroup T₂(𝔽_r) of elements of norm 1 in 𝔽_{r²}*; it is noted that, unlike Joye, Neves-Tibouchi assumes that r is prime. The multiplicative degeneration has two drawbacks. First, the shortcut function translates into an exponentiation modulo r (degeneration to 𝔽_r*) or into the evaluation of Lucas sequences modulo r (degeneration to T₂(𝔽_r)). Second, whereas it is easy to obtain a generator of the additive group (ℤ/rℤ)⁺, for 𝔽_r* and T₂(𝔽_r) the respective factorization of r−1 or of r+1 is required. An easy fix is to increase the size of r so as to increase the probability that the order of P′ as an element of the degenerate curve E′ is large. The limitation on r being a (large) prime incurs computational complexity as r needs to be tested for primality.

Embodiments for more efficiently implementing a countermeasure method against faults for ECC versus the BOS countermeasure method will now be described. As aforementioned, obtaining a generator of the additive group (ℤ/rℤ)⁺ is fairly easy: any non-zero integer co-prime to r generates (ℤ/rℤ)⁺. Two possible strategies are:

    1. Take 1 as a generator, or fix a prime g larger than the maximum value for r. Then (ℤ/rℤ)⁺=⟨1⟩ or (ℤ/rℤ)⁺=⟨g⟩.
    2. Select r as a prime number. Then any non-zero integer 0<g<r is a generator of (ℤ/rℤ)⁺.

The idea of the embodiment is to replace the combined curve Ê in the BOS countermeasure by the group

E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺

which is isomorphic to the cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺ and where the group G′ is represented with elements having a group law that coincides (i.e., is compatible) with the group law used in the representation for E(𝔽_p). Such a representation for G′={P′=γ(ϑ) | ϑ∈ℤ/rℤ}, where

$\gamma : \left( \mathbb{Z}/r\mathbb{Z} \right)^{+} \xrightarrow{\;\sim\;} G', \qquad \begin{cases} 0 \mapsto \gamma(0) = O \\ \vartheta \mapsto \gamma(\vartheta) = P' \end{cases}$

can easily be identified from the group law in E. This is illustrated in the next paragraphs with several elliptic curve models commonly used for cryptographic applications.

Because G′ is selected such that γ(ϑ₁)⊕γ(ϑ₂)=γ(ϑ₁+ϑ₂), it follows that [k]γ(ϑ)=γ(kϑ)=[k]P′. This means that instead of calculating [k]P′ as a series of point additions on an elliptic curve as in the BOS method, the verification for the presence of faults can be performed from the calculation of kϑ. Because calculating kϑ is a simple arithmetic multiplication modulo the integer r, it is a much more efficient calculation than the point multiplication in the BOS method. Accordingly, Step 4 of the BOS method may be replaced by a much more efficient operation.

This method is fully generic and can readily be adapted to any elliptic curve model and corresponding addition formulas. Also, although the description focuses on protecting elliptic curve computations over prime fields for the sake of concreteness, this method can be generalized to elliptic curve computations over arbitrary rings, including over binary fields.

FIG. 1 illustrates a method for protecting against faults in the computation of a point multiplication Q=[k]P on an elliptic curve E defined over the prime field 𝔽_p. The method 100 starts 105, and then defines an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} 110 represented with elements having a group law that coincides with the group law used in the representation for E(𝔽_p) and isomorphic to the additive group (ℤ/rℤ)⁺ through isomorphism γ. Next, the method 100 forms the combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to the cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺ 115. Then the method 100 selects an element ϑ in ℤ/rℤ and defines the element P′=γ(ϑ) in group G′ 120. Next, the method 100 forms the combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′ 125. The method 100 then calculates Q̂=[k]P̂ in the combined group E(𝔽_p)×G′ 130. Next, the method 100 calculates kϑ in ℤ/rℤ 135. The method then checks whether Q̂≡Q′ (mod r) where Q′=γ(kϑ) 140, and if so, outputs Q=Q̂ mod p 145, and if not, returns an error 150. The method then ends at 155.

Application of the above method will now be described for various elliptic curves that are used as the basis for ECC.

One elliptic curve to consider is a normal form for elliptic curves in a twisted form that is referred to as the twisted Edwards form. The twisted Edwards form is given by the equation:

$E_{\mathcal{E},a,d} : ax^{2} + y^{2} = 1 + dx^{2}y^{2}. \quad (1)$

The neutral element for this curve is O=(0,1). The addition law is unified. Given two points (x₁, y₁) and (x₂, y₂), their sum (x₃, y₃)=(x₁, y₁)⊕(x₂, y₂) is given by:

$\left( x_{3}, y_{3} \right) = \left( \frac{x_{1}y_{2} + x_{2}y_{1}}{1 + d x_{1}x_{2}y_{1}y_{2}}, \frac{y_{1}y_{2} - a x_{1}x_{2}}{1 - d x_{1}x_{2}y_{1}y_{2}} \right).$

Applying the general method above to the twisted Edwards form results in:

$\left( \mathbb{Z}/r\mathbb{Z} \right)^{+} \cong G' = \left\{ \gamma(\vartheta) = (\vartheta, 1) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \right\} \subset \left\{ (x, y) \in E_{\mathcal{E},0,0}\left( \mathbb{Z}/r\mathbb{Z} \right) \right\}.$

In more detail, the group (ℤ/rℤ)⁺ is viewed as the set G′ of points (x, 1) on an Edwards curve (1) with parameters a=d=0, over the ring ℤ/rℤ, equipped with the above addition law. When a=d=0, it is easily verified that:

$\gamma(0) = (0, 1) = O, \qquad \gamma\left( \vartheta_{1} \right) \oplus \gamma\left( \vartheta_{2} \right) = \left( \vartheta_{1}, 1 \right) \oplus \left( \vartheta_{2}, 1 \right) = \left( \frac{\vartheta_{1} \cdot 1 + \vartheta_{2} \cdot 1}{1}, \frac{1 \cdot 1}{1} \right) = \left( \vartheta_{1} + \vartheta_{2}, 1 \right) = \gamma\left( \vartheta_{1} + \vartheta_{2} \right)$

as desired.
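As an added example (this code is not from the patent, nor from any implementation it references), the following Python carries the method of FIG. 1 through for the twisted Edwards representation of G′ just described, with Ed25519 in the role of E(𝔽_p): â, d̂ and P̂ are formed by CRT, the unified addition law of equation (1) is run modulo pr for the whole scalar multiplication, and Q̂ is checked against γ(kϑ)=(kϑ mod r, 1) with a single multiplication modulo r. It also implements the infective final test of steps 5.1-5.3 of the BOS description in place of the branch, and shows detection on a simulated fault (a bit flip in the accumulator, a test hook that is no part of the countermeasure). The curve constants are the RFC 8032 values; the helper names, the 64-bit odd randomizer and the fault hook are this example's own choices.

```python
import secrets

# Ed25519 (RFC 8032): twisted Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p
# with a = -1 and d = -121665/121666. It plays the role of E(F_p) in the method.
P_ED = 2**255 - 19
A_ED = P_ED - 1
D_ED = (-121665 * pow(121666, -1, P_ED)) % P_ED

def edwards_add(pt1, pt2, a, d, n):
    """Unified addition law of equation (1), all arithmetic modulo n.
    n is p for a plain computation or p*r for the combined group: the denominators
    are non-zero mod p (Ed25519 is complete) and 1 mod r (d = 0 mod r there)."""
    x1, y1 = pt1
    x2, y2 = pt2
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % n, -1, n) % n
    y3 = (y1 * y2 - a * x1 * x2) * pow((1 - t) % n, -1, n) % n
    return x3, y3

def scalar_mul(k, pt, a, d, n, fault_at=None):
    """Left-to-right double-and-add with the unified law; neutral element (0, 1).
    fault_at is a test hook only: after that step one bit of the accumulator's
    x-coordinate is flipped, simulating an injected fault."""
    acc = (0, 1)
    for step, bit in enumerate(bin(k)[2:]):
        acc = edwards_add(acc, acc, a, d, n)
        if bit == "1":
            acc = edwards_add(acc, pt, a, d, n)
        if step == fault_at:
            acc = (acc[0] ^ 1, acc[1])
    return acc

def crt(v_p, v_r, p, r):
    """The v in [0, p*r) with v = v_p (mod p) and v = v_r (mod r); needs gcd(p, r) = 1."""
    return (v_p + p * ((v_r - v_p) * pow(p, -1, r) % r)) % (p * r)

def pick_randomizer(bits=64):
    """Random odd r. As the text notes, r need not be prime, only coprime to p
    (automatic for a 64-bit r against a 255-bit prime). Odd r also guarantees that
    the simulated fault, which shifts x by a power of two modulo r, is never missed."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def combined_scalar_mul(k, pt, r, theta, fault_at=None):
    """Steps 110-135 of FIG. 1 with G' = {(theta, 1)} on the a = d = 0 Edwards curve:
    a_hat = CRT(a, 0), d_hat = CRT(d, 0), P_hat = CRT(P, (theta, 1)),
    Q_hat = [k]P_hat mod p*r, and Q' = gamma(k*theta) = (k*theta mod r, 1)."""
    p = P_ED
    a_hat, d_hat = crt(A_ED, 0, p, r), crt(D_ED, 0, p, r)
    p_hat = (crt(pt[0], theta, p, r), crt(pt[1], 1, p, r))
    q_hat = scalar_mul(k, p_hat, a_hat, d_hat, p * r, fault_at)
    return q_hat, (k * theta % r, 1)

def protected_scalar_mul(k, pt, r, theta, fault_at=None):
    """Steps 140-150: Q = Q_hat mod p if Q_hat = Q' (mod r), else None (error)."""
    q_hat, q_prime = combined_scalar_mul(k, pt, r, theta, fault_at)
    if (q_hat[0] % r, q_hat[1] % r) != q_prime:
        return None
    return q_hat[0] % P_ED, q_hat[1] % P_ED

def protected_scalar_mul_infective(k, pt, r, theta, kappa=64, fault_at=None):
    """Same computation with the infective final test of steps 5.1-5.3: no branch;
    gamma = 1 when c_x = c_y = 1 (check passed) and the output [gamma]R is then Q."""
    q_hat, q_prime = combined_scalar_mul(k, pt, r, theta, fault_at)
    c_x = (q_hat[0] + 1 - q_prime[0]) % r
    c_y = (q_hat[1] + 1 - q_prime[1]) % r
    rho = secrets.randbelow(1 << kappa)
    gamma = (rho * c_x + ((1 << kappa) - rho) * c_y) >> kappa
    big_r = (q_hat[0] % P_ED, q_hat[1] % P_ED)
    return scalar_mul(gamma, big_r, A_ED, D_ED, P_ED)

def on_curve(pt):
    x, y = pt
    return (A_ED * x * x + y * y - 1 - D_ED * x * x * y * y) % P_ED == 0

def ed25519_base_point():
    """B = (x, 4/5): x recovered from y by the RFC 8032 decoding rule (p = 5 mod 8)."""
    p, d = P_ED, D_ED
    y = 4 * pow(5, -1, p) % p
    u, v = (y * y - 1) % p, (d * y * y + 1) % p
    x = u * pow(v, 3, p) * pow(u * pow(v, 7, p), (p - 5) // 8, p) % p
    if (v * x * x - u) % p:                    # then v*x^2 = -u: multiply by sqrt(-1)
        x = x * pow(2, (p - 1) // 4, p) % p
    return (p - x if x % 2 else x), y          # RFC 8032: the base point has even x

if __name__ == "__main__":
    B, k = ed25519_base_point(), secrets.randbelow(1 << 252)
    r, theta = pick_randomizer(), 1            # strategy 1 of the text: 1 generates (Z/rZ)^+
    print(protected_scalar_mul(k, B, r, theta) == scalar_mul(k, B, A_ED, D_ED, P_ED))
    print(protected_scalar_mul(k, B, r, theta, fault_at=20))   # None: the fault is caught
```

The comparison in step 140 is on the coordinates of Q̂ reduced modulo r, which is why the Edwards representation with d̂≡0 (mod r) matters: it keeps y≡1 and makes x additive modulo r, so no point arithmetic is needed on the G′ side. The CRT only requires gcd(r, p)=1, so r need not be prime, as the text states. The infective variant never branches on the check and returns a point in every case, at the cost of one short extra scalar multiplication by γ.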

Another elliptic curve to consider is the Jacobi quartic model. The (extended) Jacobi quartic model assumes that the curve has a point of order 2. Its equation is given by:

$E_{\mathcal{J},a,d} : y^{2} = dx^{4} + 2ax^{2} + 1 \quad (2)$

with O=(0,1) as the neutral element. The unified addition of two points (x₁, y₁) and (x₂, y₂), (x₃, y₃)=(x₁, y₁)⊕(x₂, y₂), is given by:

$\left( x_{3}, y_{3} \right) = \left( \frac{x_{1}y_{2} + x_{2}y_{1}}{1 - d x_{1}^{2}x_{2}^{2}}, \frac{\left( 1 + d x_{1}^{2}x_{2}^{2} \right)\left( y_{1}y_{2} + 2a x_{1}x_{2} \right) + 2d x_{1}x_{2}\left( x_{1}^{2} + x_{2}^{2} \right)}{\left( 1 - d x_{1}^{2}x_{2}^{2} \right)^{2}} \right).$

The original Jacobi quartics correspond to the case d=k² and −2a=1+k² for some k.

Applying the general method above using the Jacobi quartic model results in:

$\left( \mathbb{Z}/r\mathbb{Z} \right)^{+} \cong G' = \left\{ \gamma(\vartheta) = (\vartheta, 1) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \right\} \subset \left\{ (x, y) \in E_{\mathcal{J},0,0}\left( \mathbb{Z}/r\mathbb{Z} \right) \right\}.$

As it was for the Edwards model, it is readily verified for the Jacobi quartic model that γ(0)=(0,1)=O and, when a=d=0, that

$\gamma\left( \vartheta_{1} \right) \oplus \gamma\left( \vartheta_{2} \right) = \left( \vartheta_{1}, 1 \right) \oplus \left( \vartheta_{2}, 1 \right) = \left( \frac{\vartheta_{1} \cdot 1 + \vartheta_{2} \cdot 1}{1}, \frac{1 \cdot 1}{1^{2}} \right) = \left( \vartheta_{1} + \vartheta_{2}, 1 \right) = \gamma\left( \vartheta_{1} + \vartheta_{2} \right)$

as desired.

Another elliptic curve to consider is the Jacobi quadrics intersection model, which represents an elliptic curve as the intersection of two quadrics in ℙ³. The most general form is as follows:

$E_{\mathcal{Q},a,b} : \begin{cases} ax^{2} + y^{2} = 1 \\ bx^{2} + z^{2} = 1 \end{cases} \quad (3)$

The neutral element is O=(0,1,1). The unified sum of two points (x₁, y₁, z₁) and (x₂, y₂, z₂) is given by (x₃, y₃, z₃)=(x₁, y₁, z₁)⊕(x₂, y₂, z₂) where:

$\left( x_{3}, y_{3}, z_{3} \right) = \left( \frac{x_{1}y_{2}z_{2} + x_{2}y_{1}z_{1}}{1 - ab x_{1}^{2}x_{2}^{2}}, \frac{y_{1}y_{2} - a x_{1}z_{1}x_{2}z_{2}}{1 - ab x_{1}^{2}x_{2}^{2}}, \frac{z_{1}z_{2} - b x_{1}y_{1}x_{2}y_{2}}{1 - ab x_{1}^{2}x_{2}^{2}} \right).$

Applying the general method above using the Jacobi quadrics intersection model results in:

$\left( \mathbb{Z}/r\mathbb{Z} \right)^{+} \cong G' = \left\{ \gamma(\vartheta) = (\vartheta, 1, 1) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \right\} \subset \left\{ (x, y, z) \in E_{\mathcal{Q},0,0}\left( \mathbb{Z}/r\mathbb{Z} \right) \right\}.$

A simple calculation shows that γ(0)=(0,1,1)=O and, when a=b=0, that

$\gamma\left( \vartheta_{1} \right) \oplus \gamma\left( \vartheta_{2} \right) = \left( \vartheta_{1}, 1, 1 \right) \oplus \left( \vartheta_{2}, 1, 1 \right) = \left( \frac{\vartheta_{1} \cdot 1 \cdot 1 + \vartheta_{2} \cdot 1 \cdot 1}{1}, \frac{1 \cdot 1}{1}, \frac{1 \cdot 1}{1} \right) = \left( \vartheta_{1} + \vartheta_{2}, 1, 1 \right) = \gamma\left( \vartheta_{1} + \vartheta_{2} \right)$

as desired.

Another elliptic curve to consider is the Hessian curve. Hessian curves have been generalized, modified, and extended for cryptographic applications. Using for the neutral element the point O=(0, −1) (the point (0, 1) does not lie on the curve below, whereas (0, −1) does and is fixed by the addition law), the curve equation is:

$E_{\mathcal{H},a,d} : ax^{3} + y^{3} + 1 = dxy. \quad (4)$

The unified sum (x₃, y₃)=(x₁, y₁)⊕(x₂, y₂) of two affine points (x₁, y₁) and (x₂, y₂) is given by:

$\left( x_{3}, y_{3} \right) = \left( \frac{x_{1} - y_{1}^{2}x_{2}y_{2}}{a x_{1}y_{1}x_{2}^{2} - y_{2}}, \frac{y_{1}y_{2}^{2} - a x_{1}^{2}x_{2}}{a x_{1}y_{1}x_{2}^{2} - y_{2}} \right).$

Applying the general method above using the Hessian curve above results in:

$\left( \mathbb{Z}/r\mathbb{Z} \right)^{+} \cong G' = \left\{ \gamma(\vartheta) = (\vartheta, -1) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \right\} \subseteq \left\{ (x, y) \in E_{\mathcal{H},0,0}\left( \mathbb{Z}/r\mathbb{Z} \right) \right\}.$

Again, it can be verified that γ(0)=(0, −1)=O and that the addition law when a=d=0 yields

$\gamma\left( \vartheta_{1} \right) \oplus \gamma\left( \vartheta_{2} \right) = \left( \vartheta_{1}, -1 \right) \oplus \left( \vartheta_{2}, -1 \right) = \left( \frac{\vartheta_{1} - (-1)^{2}\,\vartheta_{2}\,(-1)}{-(-1)}, \frac{(-1)(-1)^{2}}{-(-1)} \right) = \left( \vartheta_{1} + \vartheta_{2}, -1 \right) = \gamma\left( \vartheta_{1} + \vartheta_{2} \right)$

as desired.

Another elliptic curve to consider is the Huff curve. The most general form is given by the equation:

$E_{H,a,c,d} : y\left( ax^{2} + 1 \right) = cx\left( dy^{2} + 1 \right) \quad (5)$

with neutral element O=(0,0). The unified addition formula of affine points (x₁, y₁) and (x₂, y₂) is given by (x₃, y₃)=(x₁, y₁)⊕(x₂, y₂) where:

$\left( x_{3}, y_{3} \right) = \left( \frac{\left( x_{1} + x_{2} \right)\left( 1 - d y_{1}y_{2} \right)}{\left( 1 - a x_{1}x_{2} \right)\left( 1 + d y_{1}y_{2} \right)}, \frac{\left( y_{1} + y_{2} \right)\left( 1 - a x_{1}x_{2} \right)}{\left( 1 + a y_{1}y_{2} \right)\left( 1 - d x_{1}x_{2} \right)} \right).$

Applying the general method above using the Huff curve above, and fixing c∈ℤ/rℤ, results in:

$\left( \mathbb{Z}/r\mathbb{Z} \right)^{+} \cong G' = \left\{ \gamma(\vartheta) = (\vartheta, c\vartheta) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \right\} = \left\{ (x, y) \in E_{H,0,c,0}\left( \mathbb{Z}/r\mathbb{Z} \right) \right\}.$

The correctness is verified by observing that γ(0)=(0,0)=O and, when (a, c, d)=(0, c, 0), the addition law leads to γ(ϑ₁)⊕γ(ϑ₂)=(ϑ₁, cϑ₁)⊕(ϑ₂, cϑ₂)=(ϑ₁+ϑ₂, cϑ₁+cϑ₂)=γ(ϑ₁+ϑ₂) as desired.

The Weierstrass model is the most common way to represent an elliptic curve. It is given by the equation:

$E_{\mathcal{W},a,b} : y^{2} = x^{3} + ax + b, \quad (6)$

or, using projective coordinates, by:

$E_{\mathcal{W},a,b} : Y^{2}Z = X^{3} + aXZ^{2} + bZ^{3}. \quad (7)$

The neutral element is the point at infinity O=(0 : 1 : 0). Unified addition formulas are given by

$\begin{cases} X_{3} = \left( Y_{1}Z_{2} + Y_{2}Z_{1} \right)\left[ a\left( aZ_{1}Z_{2} - X_{1}X_{2} \right) - 3b\left( X_{1}Z_{2} + X_{2}Z_{1} \right) \right] + \left( X_{1}Y_{2} + X_{2}Y_{1} \right)\left[ Y_{1}Y_{2} - a\left( X_{1}Z_{2} + X_{2}Z_{1} \right) - 3bZ_{1}Z_{2} \right] \\ Y_{3} = \left( X_{1}Z_{2} + X_{2}Z_{1} \right)\left[ 3b\left( 3X_{1}X_{2} - aZ_{1}Z_{2} \right) - a^{2}\left( X_{1}Z_{2} + X_{2}Z_{1} \right) \right] + \left( Y_{1}Y_{2} + 3bZ_{1}Z_{2} \right)\left( Y_{1}Y_{2} - 3bZ_{1}Z_{2} \right) - a\left[ \left( aZ_{1}Z_{2} + 3X_{1}X_{2} \right)\left( aZ_{1}Z_{2} - X_{1}X_{2} \right) \right] \\ Z_{3} = \left( X_{1}Y_{2} + X_{2}Y_{1} \right)\left( aZ_{1}Z_{2} + 3X_{1}X_{2} \right) + \left( Y_{1}Z_{2} + Y_{2}Z_{1} \right)\left[ Y_{1}Y_{2} + 3bZ_{1}Z_{2} + a\left( X_{1}Z_{2} + X_{2}Z_{1} \right) \right] \end{cases}$

Applying the general method above using the Weierstrass curve above results in:

$\left( \mathbb{Z}/r\mathbb{Z} \right)^{+} \cong G' = \left\{ \gamma(\vartheta) = \left( \vartheta : 1 : \vartheta^{3} \right) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \right\} \subset \left\{ (X : Y : Z) \in E_{\mathcal{W},0,0}\left( \mathbb{Z}/r\mathbb{Z} \right) \right\}.$

Here again, it can be verified that γ(0)=(0 : 1 : 0)=O and, when a=b=0, that the above addition formulas yield

$\gamma\left( \vartheta_{1} \right) \oplus \gamma\left( \vartheta_{2} \right) = \left( \vartheta_{1} : 1 : \vartheta_{1}^{3} \right) \oplus \left( \vartheta_{2} : 1 : \vartheta_{2}^{3} \right) = \left( \vartheta_{1} + \vartheta_{2} : 1 : 3\vartheta_{1}\vartheta_{2}\left( \vartheta_{1} + \vartheta_{2} \right) + \vartheta_{1}^{3} + \vartheta_{2}^{3} \right) = \left( \vartheta_{1} + \vartheta_{2} : 1 : \left( \vartheta_{1} + \vartheta_{2} \right)^{3} \right) = \gamma\left( \vartheta_{1} + \vartheta_{2} \right)$

as desired.

The above embodiments list unified addition formulas; that is, the formulas remain valid when the input points are equal (point doubling). Depending on certain conditions (e.g., field characteristic or curve parameters), the formulas are even complete; that is, they can be used without any exception. It is worth noting that in all the previous embodiments the addition formulas are complete in G′: the identity γ(ϑ₁)⊕γ(ϑ₂)=γ(ϑ₁+ϑ₂) is always verified. This implies that the randomizer r can be used freely in the proposed method; in particular, it is not required to be prime.

The methods described above may be implemented in software which includes instructions for execution by a processor stored on a non-transitory machine-readable storage medium. The processor may include a memory that stores the instructions for execution by the processor.

Any combination of specific software running on a processor to implement the embodiments of the invention constitutes a specific dedicated machine.

As used herein, the term "non-transitory machine-readable storage medium" will be understood to exclude a transitory propagation signal but to include all forms of volatile and non-volatile memory. Further, as used herein, the term "processor" will be understood to encompass a variety of devices such as microprocessors, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), and other similar processing devices. When software is implemented on the processor, the combination becomes a single specific machine.

It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the invention.

Although the various exemplary embodiments have been described in detail with particular reference to certain exemplary aspects thereof, it should be understood that the invention is capable of other embodiments and its details are capable of modifications in various obvious respects. As is readily apparent to those skilled in the art, variations and modifications can be effected while remaining within the spirit and scope of the invention. Accordingly, the foregoing disclosure, description, and figures are for illustrative purposes only and do not in any way limit the invention, which is defined only by the claims.

What is claimed is:
 1. A method for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field 𝔽_p, comprising: defining an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} represented with elements having a group law that coincides with a group law used in the representation for E(𝔽_p) and isomorphic to an additive group (ℤ/rℤ)⁺ through isomorphism γ; forming a combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to a cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺; selecting an element ϑ in ℤ/rℤ and defining an element P′=γ(ϑ) in group G′; forming a combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′; calculating Q̂=[k]P̂ in the combined group E(𝔽_p)×G′; calculating kϑ in ℤ/rℤ; and checking whether Q̂≡Q′ (mod r) where Q′=γ(kϑ).
 2. The method of claim 1, wherein when Q̂≡Q′ (mod r) output Q=Q̂ mod p and otherwise return an error.
 3. The method of claim 1, wherein G′ is a set of points (ϑ, 1) on a twisted Edwards curve.
 4. The method of claim 1, wherein G′ is a set of points (ϑ, 1) on a Jacobi quartic curve.
 5. The method of claim 1, wherein G′ is a set of points (ϑ, 1, 1) on a Jacobi quadrics intersection curve.
 6. The method of claim 1, wherein G′ is a set of points (ϑ, −1) on a Hessian curve.
 7. The method of claim 1, wherein G′ is a set of points (ϑ, cϑ) on a Huff curve, where c is any value in ℤ/rℤ.
 8. The method of claim 1, wherein G′ is a set of points (ϑ : 1 : ϑ³) on a Weierstrass curve.
 9. A non-transitory machine-readable storage medium encoded with instructions for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field 𝔽_p, comprising: instructions for defining an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} represented with elements having a group law that coincides with a group law used in the representation for E(𝔽_p) and isomorphic to an additive group (ℤ/rℤ)⁺ through isomorphism γ; instructions for forming a combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to a cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺; instructions for selecting an element ϑ in ℤ/rℤ and defining an element P′=γ(ϑ) in group G′; instructions for forming a combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′; instructions for calculating Q̂=[k]P̂ in the combined group E(𝔽_p)×G′; instructions for calculating kϑ in ℤ/rℤ; and instructions for checking whether Q̂≡Q′ (mod r) where Q′=γ(kϑ).
 10. The non-transitory machine-readable storage medium of claim 9, wherein when Q̂≡Q′ (mod r) output Q=Q̂ mod p and otherwise return an error.
 11. The non-transitory machine-readable storage medium of claim 9, wherein G′ is a set of points (ϑ, 1) on a twisted Edwards curve.
 12. The non-transitory machine-readable storage medium of claim 9, wherein G′ is a set of points (ϑ, 1) on a Jacobi quartic curve.
 13. The non-transitory machine-readable storage medium of claim 9, wherein G′ is a set of points (ϑ, 1, 1) on a Jacobi quadrics intersection curve.
 14. The non-transitory machine-readable storage medium of claim 9, wherein G′ is a set of points (ϑ, −1) on a Hessian curve.
 15. The non-transitory machine-readable storage medium of claim 9, wherein G′ is a set of points (ϑ, cϑ) on a Huff curve, where c is any value in ℤ/rℤ.
 16. The non-transitory machine-readable storage medium of claim 9, wherein G′ is a set of points (ϑ : 1 : ϑ³) on a Weierstrass curve.
 17. A device for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field 𝔽_p, comprising: a memory; and a processor in communication with the memory, the processor configured to: define an integer r and a group G′={γ(ϑ) | ϑ∈ℤ/rℤ} represented with elements having a group law that coincides with a group law used in the representation for E(𝔽_p) and isomorphic to an additive group (ℤ/rℤ)⁺ through isomorphism γ; form a combined group E(𝔽_p)×G′ ≅ E(𝔽_p)×(ℤ/rℤ)⁺ which is isomorphic to a cross product of the groups E(𝔽_p) and (ℤ/rℤ)⁺; select an element ϑ in ℤ/rℤ and define an element P′=γ(ϑ) in group G′; form a combined element P̂=CRT(P, P′) in the group E(𝔽_p)×G′; calculate Q̂=[k]P̂ in the combined group E(𝔽_p)×G′; calculate kϑ in ℤ/rℤ; and check whether Q̂≡Q′ (mod r) where Q′=γ(kϑ).
 18. The device of claim 17, wherein when Q̂≡Q′ (mod r) output Q=Q̂ mod p and otherwise return an error.
 19. The device of claim 17, wherein G′ is a set of points (ϑ, 1) on a twisted Edwards curve.
 20. The device of claim 17, wherein G′ is a set of points (ϑ, 1) on a Jacobi quartic curve.
 21. The device of claim 17, wherein G′ is a set of points (ϑ, 1, 1) on a Jacobi quadrics intersection curve.
 22. The device of claim 17, wherein G′ is a set of points (ϑ, −1) on a Hessian curve.
 23. The device of claim 17, wherein G′ is a set of points (ϑ, cϑ) on a Huff curve, where c is any value in ℤ/rℤ.
 24. The device of claim 17, wherein G′ is a set of points (ϑ : 1 : ϑ³) on a Weierstrass curve.